TCP Drop
Table of Contents
Expand all | Collapse all
-
- Firewall Overview
- Features and Benefits
- Last Login Time and Failed Login Attempts
- Message of the Day
- Task Manager
- Language
- Alarms
- Commit Changes
- Save Candidate Configurations
- Revert Changes
- Lock Configurations
- Global Find
- Threat Details
- AutoFocus Intelligence Summary
- Configuration Table Export
- Change Boot Mode
-
- Objects > Addresses
- Objects > Address Groups
- Objects > Regions
- Objects > Dynamic User Groups
- Objects > Application Groups
- Objects > Application Filters
- Objects > Services
- Objects > Service Groups
- Objects > Devices
- Objects > External Dynamic Lists
- Objects > Custom Objects > Spyware/Vulnerability
- Objects > Custom Objects > URL Category
- Objects > Security Profiles > Antivirus
- Objects > Security Profiles > Anti-Spyware Profile
- Objects > Security Profiles > Vulnerability Protection
- Objects > Security Profiles > File Blocking
- Objects > Security Profiles > WildFire Analysis
- Objects > Security Profiles > Data Filtering
- Objects > Security Profiles > DoS Protection
- Objects > Security Profiles > Mobile Network Protection
- Objects > Security Profiles > SCTP Protection
- Objects > Security Profile Groups
- Objects > Log Forwarding
- Objects > Authentication
- Objects > Packet Broker Profile
- Objects > Schedules
-
-
- Firewall Interfaces Overview
- Common Building Blocks for Firewall Interfaces
- Common Building Blocks for PA-7000 Series Firewall Interfaces
- Tap Interface
- HA Interface
- Virtual Wire Interface
- Virtual Wire Subinterface
- PA-7000 Series Layer 2 Interface
- PA-7000 Series Layer 2 Subinterface
- PA-7000 Series Layer 3 Interface
- Layer 3 Interface
- Layer 3 Subinterface
- Log Card Interface
- Log Card Subinterface
- Decrypt Mirror Interface
- Aggregate Ethernet (AE) Interface Group
- Aggregate Ethernet (AE) Interface
- Network > Interfaces > VLAN
- Network > Interfaces > Loopback
- Network > Interfaces > Tunnel
- Network > Interfaces > SD-WAN
- Network > VLANs
- Network > Virtual Wires
-
- Network > Network Profiles > GlobalProtect IPSec Crypto
- Network > Network Profiles > IPSec Crypto
- Network > Network Profiles > IKE Crypto
- Network > Network Profiles > Monitor
- Network > Network Profiles > Interface Mgmt
- Network > Network Profiles > QoS
- Network > Network Profiles > LLDP Profile
- Network > Network Profiles > SD-WAN Interface Profile
-
-
- Device > Setup
- Device > Setup > Management
- Device > Setup > Interfaces
- Device > Setup > Telemetry
- Device > Setup > Content-ID
- Device > Setup > WildFire
- Device Setup Ace
- Device > Setup > DLP
- Device > Log Forwarding Card
- Device > Config Audit
- Device > Administrators
- Device > Admin Roles
- Device > Access Domain
- Device > Authentication Sequence
- Device > Device Quarantine
-
- Security Policy Match
- QoS Policy Match
- Authentication Policy Match
- Decryption/SSL Policy Match
- NAT Policy Match
- Policy Based Forwarding Policy Match
- DoS Policy Match
- Routing
- Test Wildfire
- Threat Vault
- Ping
- Trace Route
- Log Collector Connectivity
- External Dynamic List
- Update Server
- Test Cloud Logging Service Status
- Test Cloud GP Service Status
- Device > Virtual Systems
- Device > Shared Gateways
- Device > Certificate Management
- Device > Certificate Management > Certificate Profile
- Device > Certificate Management > OCSP Responder
- Device > Certificate Management > SSL/TLS Service Profile
- Device > Certificate Management > SCEP
- Device > Certificate Management > SSL Decryption Exclusion
- Device > Certificate Management > SSH Service Profile
- Device > Response Pages
- Device > Server Profiles
- Device > Server Profiles > SNMP Trap
- Device > Server Profiles > Syslog
- Device > Server Profiles > Email
- Device > Server Profiles > HTTP
- Device > Server Profiles > NetFlow
- Device > Server Profiles > RADIUS
- Device > Server Profiles > TACACS+
- Device > Server Profiles > LDAP
- Device > Server Profiles > Kerberos
- Device > Server Profiles > SAML Identity Provider
- Device > Server Profiles > DNS
- Device > Server Profiles > Multi Factor Authentication
- Device > Local User Database > Users
- Device > Local User Database > User Groups
- Device > Scheduled Log Export
- Device > Software
- Device > Dynamic Updates
- Device > Licenses
- Device > Support
- Device > Policy Recommendation > IoT
- Device > Policy > Recommendation SaaS
-
- Network > GlobalProtect > MDM
- Network > GlobalProtect > Clientless Apps
- Network > GlobalProtect > Clientless App Groups
- Objects > GlobalProtect > HIP Profiles
-
- Use the Panorama Web Interface
- Context Switch
- Panorama Commit Operations
- Defining Policies on Panorama
- Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode
- Panorama > Setup > Interfaces
- Panorama > High Availability
- Panorama > Administrators
- Panorama > Admin Roles
- Panorama > Access Domains
- Panorama > Device Groups
- Panorama > Plugins
- Panorama > Log Ingestion Profile
- Panorama > Log Settings
- Panorama > Server Profiles > SCP
- Panorama > Scheduled Config Export
- Panorama > Device Registration Auth Key
TCP Drop
To instruct the firewall what to do with certain TCP
packets it receives in the zone, specify the following settings.
Zone Protection Profile Settings—Packet
Based Attack Protection | Configured In | Description |
|---|---|---|
Mismatched overlapping TCP segment | NetworkNetwork ProfilesZone ProtectionPacket Based Attack ProtectionTCP Drop | Attackers can construct connections with
overlapping but different data in them to cause misinterpretation
of the connection. Attackers can use IP spoofing and sequence number
prediction to intercept a user’s connection and inject their own
data. Use this setting to report an overlap mismatch and drop the
packet when segment data does not match in these scenarios:
This
protection mechanism uses sequence numbers to determine where packets
reside within the TCP data stream. Drop
packets with mismatched overlapping TCP segments. |
Split Handshake | Prevent a TCP session from being established
if the session establishment procedure does not use the well-known three-way
handshake. A four-way or five-way split handshake or a simultaneous
open session establishment procedure are examples of variations
that would not be allowed. The Palo Alto Networks next-generation
firewall correctly handles sessions and all Layer 7 processes
for split handshake and simultaneous open session establishment
without configuring Split Handshake. When this
is configured for a zone protection profile and the profile is applied
to a zone, TCP sessions for interfaces in that zone must be established
using the standard three-way handshake; the variations are not allowed. Drop packets with split handshakes. | |
TCP SYN with Data | Prevent a TCP session from being established
if the TCP SYN packet contains data during a three-way handshake. Enabled
by default. | |
TCP SYNACK with Data | Prevent a TCP session from being established
if the TCP SYN-ACK packet contains data during a three-way handshake. Enabled
by default. | |
Reject Non-SYN TCP | Determine whether to reject the packet if
the first packet for the TCP session setup is not a SYN packet:
Allowing
non-SYN TCP traffic may prevent file blocking policies from working
as expected in cases where the client and/or server connection is
not set after the block occurs. If you configure Tunnel Content Inspection on
a zone and enable Rematch Sessions, then
for that zone only, disable Reject Non-SYN TCP so
that enabling or editing a Tunnel Content Inspection policy doesn’t
cause the firewall to drop existing tunnel sessions. | |
Asymmetric Path | Determine whether to drop or bypass packets
that contain out-of-sync ACKs or out-of-window sequence numbers:
| |
Strip TCP Options | Determine whether to strip the TCP Timestamp
or TCP Fast Open option from TCP packets. | |
TCP Timestamp | NetworkNetwork ProfilesZone ProtectionPacket Based Attack ProtectionTCP Drop | Determine whether the packet has a TCP timestamp
in the header and, if it does, strip the timestamp from the header. Strip the TCP timestamp from packets that
have it to prevent a timestamp DoS attack. |
TCP Fast Open | Strip the TCP Fast Open option (and data
payload, if any) from the TCP SYN or SYN-ACK packet during a TCP
three-way handshake. When this is cleared (disabled), the
TCP Fast Open option is allowed, which preserves the speed of a
connection setup by including data delivery. This functions independently
of the TCP SYN with Data and TCP SYN-ACK with Data. Disabled by default. | |
Multipath TCP (MPTCP) Options | MPTCP is an extension of TCP that allows
a client to maintain a connection by simultaneously using multiple
paths to connect to the destination host. By default, MPTCP support
is disabled, based on the global MPTCP setting. Review or
adjust the MPTCP settings for the security zones associated with
this profile:
# set
deviceconfig setting tcp strip-mptcp-option <yes|no> |